9

Frequently, Stack Overflow answers to JavaScript questions contain XSS vulnerabilities (or vulnerabilities of other kinds). For instance, this answer with 420 upvotes and a quarter of a million views to a question about decoding HTML entities is likely to cause an XSS vulnerability if used on untrusted input.

Given the popularity of the answer, we can safely assume that there are dozens - maybe hundreds or thousands - of websites using this vulnerable code snippet. Finding these is of interest to both blackhats (one of those sites might happen to be something worth hacking) and whitehats who would like to inform the owners of those applications about the vulnerability.

However, locating such websites is not a trivial problem. Google doesn't index JavaScript, so we can't simply Google for the snippet and find vulnerable sites. Searching GitHub finds some instances of the snippet being copied and pasted, but the source of most websites is not publicly hosted on GitHub. Spidering the entire internet myself and searching all the JavaScript on the web is, of course, a theoretical possibility - but not one that I (or most people) have the resources to do.

So what practical mechanism does a normal person have to search for places where a code snippet has been copied and pasted?

Community
  • 1
Mark Amery
  • 1,777
  • 2
  • 13
  • 19
  • 2
    I'm voting to close because searching for code snippets is not a security topic. Also, searching for vulnerable websites is a very broad topic which I don't think can be addressed in a single answer. – Arminius Dec 28 '16 at 18:00
  • 2
    @Arminius I disagree with both reasons for closure. To your first: scanning for servers containing particular code is *very much* a security topic (the majority of bot traffic any server I've ever run has received has been from vulnerability scanners; blackhats are the single most common group who need to search the web for people running particular software). To your second: you're essentially arguing "this specific question is too broad because it belongs to a larger category that as a whole would be too broad". Well, sure it does - but that could be said of every question ever, surely? – Mark Amery Dec 28 '16 at 18:06
  • 3
    @thel3l Note that I didn't call it a bad question. Searching for particular code snippets has relevance beyond security. It could be equally important for ordinary developers. That's why I'd rather see it on some other network site. You're free to disagree. – Arminius Dec 28 '16 at 18:49
  • basicallythis would go over simply searching a snippet but just for every use of `eval()` and everything alike right ? Another side could be to search for sites that have versions of libraries/frameworks with quite known vulnerabilites. To be honest, JS is moving so fast that it can be really hard, at the time of your question jquery was the dominant, but now you have others (that may rely on jQuery under the hood still) that provide some functionnalities that have the same kind of vulnerabilities (ie : angular 1.6 see the note where the drop the sandbox) – Walfrat Dec 28 '16 at 20:32
  • 1
    Why would a normal person want to see each and every site that has this problem? I would guess that they would be interested in websites that they are browsing to. In that case, they can probably use a browser extension that searches for a certain keyword in a website(that itself can be a big task) or they can have a repository of vulnerable websites. – Limit Dec 29 '16 at 00:40
  • I'm afraid that this isn't on-topic here. Although you intend to use this technique to search for code that relates to a particular security application, the question itself, the core problem, isn't a security question. Security is only a tangent. What you are asking for is a way to perform mass searches of websites for a certain code snippet. There is nothing inherent about security in that question. – schroeder Jan 06 '17 at 07:53

2 Answers2

1

There is no easy and powerfull way to mass scan for a given code.

Most of the possibilities I can think of have been written, but I will try to resume them into a complete answer. Also, my answer will applies for all snippets and not only for those from Stack Overflow.

  • Search for context : This is probably the most efficient way to search for source code. Are you searching for a vulnerabilities on a CMS (Wordpress, Joomla, e107) ? Most of them have specific context, such as Proudly powered by ... that you can Google. This does not seem apply to the questions you linked us, but sometimes, you can also guess a context where the code would be executed, which can help you to find them on traditionnal search engines.

  • Use source code search engines : Despite the fact that they are not as good as traditionnal search engines, you can still get some results for most popular website. There are plenty of them : nerdydata, globalogiq, publicwww, searchcode ...

  • Use code sharing platforms : As aborded in your question, you can use source code sharing platforms to find vulnerable code and trace back to the websites. Github has a effectively, but you might also try pastebin.

  • Crawl websites : This is probably the worst and slowly options, but it sure works.

If you are more interested about your own security, you can also :

  • Use a plugin : The plugin would look at the source code of the pages you visit and check if it can find a match with one of the code your searching for.

Of course, there are others powerfull way, such as using botnets, softwares you distribute ... but they require either time or illegal issues so they are not in the scope of the questions.

Xavier59
  • 2,874
  • 3
  • 17
  • 34
-2

  1. Instead of scraping all the sites on the Internet, why not just clone a copy of a single site that we deem interesting and then scrape the JS source for these snippets? Example - Clone example.com and then audit the source.

  2. Use a service like https://searchcode.com/ to do the work for us.

  3. Write a spider to scrape target domains. As you said, this will probably just remain a theory - most people don't have the resources to do this - use 1.

schroeder
  • 123,438
  • 55
  • 284
  • 319
thel3l
  • 3,384
  • 11
  • 24
  • 1
    I don't quite understand (1). Are you suggesting that we give up on finding sites across the web with this vulnerability, and instead only incorporate it into the set of things you check when investigating a specific site? – Xiong Chiamiov Dec 28 '16 at 17:42
  • @XiongChiamiov - Scraping all the sites on the internet as OP and I mentioned in 3 is unfeasible. The aim of scraping these sites is to discover sites that we're interested in exploiting, so why not check those sites directly? We'd save time and effort while obtaining much the same results. – thel3l Dec 28 '16 at 17:52
  • 1
    As for (2), unfortunately searchcode.com doesn't work very well (e.g. it [can't find any relevant results for the same search that I did on GitHub in the question](https://searchcode.com/?q=%24%28%22%3Cdiv%2F%3E%22%29.html%28encodedStr%29.text%28%29%3B)). A code search service that actually worked would be a useful partial answer to this question, but searchcode.com ain't such a beast. – Mark Amery Dec 28 '16 at 19:11
  • 1
    @Mark Amery - search code had a small bug in the GitHub section where it wouldn't actually input the results into github's search. I'm guessing this is the reason it isn't showing for you. – thel3l Dec 28 '16 at 19:14